DPDP Rules, 2025 are now in effect. See where your business stands, in 3–5 minutes.Find out — free →
Industry Guide · Recruitment Agencies

Your recruitment agency does not just forward CVs. It moves candidate data across clients, tools and teams.

From job portals, LinkedIn, WhatsApp and email to ATS tools, Excel trackers, client hiring managers, background-verification vendors and old candidate databases — recruitment agencies handle personal data at every step. This 3-minute scan shows where DPDPA exposure may arise.

Most recruitment agencies don't have a CV-collection problem — they have a candidate-data movement problem.

Start Recruitment Risk Scan 3 minutes · 10 questions · free · no login
CVsCandidate ConsentJob PortalsLinkedInATSWhatsAppClient SharingBGVSalary SlipsRejected ProfilesAI Screening

Your candidate-data risk map

The free scan scores your agency across these five areas. Here is what each one looks at.

Candidate sourcing risk

Naukri/LinkedIn/Indeed, WhatsApp referrals, walk-ins, scraped public profiles, reused old databases and client-provided lists.

First move: Define approved sourcing channels, avoid unmanaged scraping, and give candidates a clear notice of how their profile is used.

Candidate document risk

CVs, PAN/Aadhaar, salary slips, bank details, BGV records, psychometric scores and health/diversity data.

First move: Collect high-impact documents only when needed, with stronger access and retention controls.

Client sharing risk

CVs forwarded by email/WhatsApp, bulk CV folders, Excel trackers, or clients given access to your ATS/database.

First move: Share only relevant shortlisted profiles through controlled channels; avoid bulk folders and uncontrolled forwarding.

ATS, tool & access risk

ATS, Excel trackers, Drive folders, email, WhatsApp, recruiter laptops, BGV vendors and AI screening tools.

First move: Map where candidate data sits, restrict access, and remove ex-recruiter and freelancer access promptly.

Retention & rights readiness risk

Rejected/inactive CVs, phone numbers, salary details and documents kept for years for 'future roles'.

First move: Define a retention + deletion schedule and a clear way for candidates to correct, delete or withdraw.

How the 3-minute scan works

1

Answer 10 quick questions

About candidate sourcing, documents, client sharing, ATS access, retention and candidate rights. ~3 minutes.

2

See your readiness score + risk map

A 0–100 DPDPA readiness score, your risk band, and five recruitment-specific risk areas.

3

Get your priority fixes + checklist

The five controls to start with, plus the Recruitment Agency DPDPA Starter Checklist.

Start Recruitment Risk Scan

What the scan checks

Ten plain-English questions across your real candidate-data workflows.

What recruitment/staffing models you run and the candidate data you hold
Where candidate profiles come from — portals, LinkedIn, referrals, scraping, reused databases
Whether identity/salary/BGV documents are collected earlier than needed
How candidates are told their profile will be stored and shared
How CVs are shared with clients — email, WhatsApp, bulk folders, ATS access
Who inside your agency can access candidate records — including freelancers and ex-staff
Which tools store candidate data — ATS, Excel, Drive, WhatsApp, laptops, AI tools
How long rejected/inactive profiles are kept and whether candidates can be removed

Recruitment agency DPDPA questions

Does the DPDPA apply to recruitment agencies?

Yes. Recruitment agencies process personal data of candidates — names, contact details, CVs, experience, salaries, and identity documents — making them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. Compliance obligations apply regardless of agency size.

Do we need consent before sharing a candidate's CV with a client company?

Yes. Sharing a candidate's CV with a client is a disclosure of personal data to a third party. Under DPDPA, you must have valid consent from the candidate that covers this purpose. The consent notice must clearly state that CVs may be shared with prospective employers.

How long can we keep candidate data in our ATS after a placement or rejection?

DPDPA requires data to be deleted once the purpose for which it was collected is fulfilled. For candidates not placed, a reasonable retention window is 12–24 months for potential future roles, after which data should be erased unless the candidate opts in to remain in your database.

Are background check documents like Aadhaar and PAN copies covered under DPDPA?

Yes. Aadhaar numbers and PAN details are personal data under DPDPA. Recruitment agencies must collect only what is necessary for the specific check, store it securely with restricted access, and delete it once the verification purpose is complete.

What should we do if a candidate asks to erase their data?

Under Section 13 of the DPDPA, candidates have the right to erasure of personal data no longer needed for the purpose it was collected. You must acknowledge the request, verify identity, and erase the data unless retention is required by law. A documented process with a response timeline is recommended.

Take the free scan

10 questions · 3 minutes · free · no login. Get your agency's DPDPA readiness score.

Start Recruitment Risk Scan →

Free Guide

DPDPA compliance guide for Indian businesses.

Download the Guide →

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.